Little Black has started tinkering with new things again. Last week I had just learned how to build a private CA with OpenSSL, so on Saturday I took a bit of time to write this script. Time was tight and I finished it before moving on to DNS, so if there are any bugs please forgive me; this script is purely practice, used to exercise OpenSSL, awk, sed and other knowledge points.
Let's start with the simple steps for building a private CA (the paths below are the defaults from the OpenSSL installation):
(1) Generate the private key:
~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
(2) Generate the self-signed certificate:
~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655
-new: generate a new certificate signing request;
-x509: generate a certificate in self-signed format, intended for creating a private CA;
-key: path of the private key file used to generate the request;
-out: path of the generated request file; with -x509 the signed certificate is written to this path directly;
-days: validity period of the certificate, in days;
(3) Provide the directories and files the CA needs:
~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
~]# touch /etc/pki/CA/{serial,index.txt}
~]# echo 01 > /etc/pki/CA/serial
The script parses the openssl.cnf file to obtain the relevant paths, then builds the private CA with the commands above; the information for the self-signed certificate is kept in an array and fed to openssl req through echo to generate the self-signed certificate. The script is as follows:
#!/bin/bash
#program:
#   this program is used to create a CA
#history:
#   2016/4/9 xiaohei v1.0
#blog: http://zww577593841.blog.51cto.com/6145493/1750689
#
# Directory where the private CA is kept          # dir
# Directory for issued certificates               # certs
# Directory for revoked certificates              # crl_dir
# Directory for newly issued certificates         # new_certs_dir
# File holding the current certificate serial     # serial
# Index file of issued certificates               # database
# The CA's self-signed certificate                # certificate
# Location of the CA's private key                # private_key

# openssl.cnf configuration file
declare conffile=/etc/pki/tls/openssl.cnf
# Names of the CA_default properties to read from the configuration file
declare -a var
var=("dir" "certs" "crl_dir" "new_certs_dir" "serial" "database" "certificate" "private_key")
# Temporary files
declare -a tempfile
tempfile=("./ca_default.txt" "./ca_value.txt")
# Files and directories that must exist
declare -a creatfile
declare -a creatdir
creatfile=("serial" "database")
creatdir=("certs" "crl_dir" "new_certs_dir")
# CA-related properties read from openssl.cnf (associative array: name -> path)
declare -A ca
# Information entered when the self-signed certificate is created:
# country (two uppercase letters), province, city, company, department, hostname, e-mail (optional)
cainfo=("CN" "Beijing" "Beijing" "Blackboy" "Ops" "ca.blackboy.com" "[email protected]")

# Signal trap: clean up and exit on Ctrl-C
trap 'mytrap' INT
mytrap() {
    clean_temp
    echo -e "\033[31mexit\033[0m"
    exit
}

# Clean up temporary files, variables and arrays
clean_temp() {
    for ((i=0; i<${#tempfile[*]}; i++)); do
        mv -f ${tempfile[$i]} /tmp/
    done
    unset -v conffile
    unset -v var
    unset -v tempfile
    unset -v ca
    unset -v creatfile
    unset -v creatdir
    unset -v cainfo
}

# Check whether a file or directory exists
analyse_file_dir() {
    if [ -f "$1" ]; then
        echo -e "\033[32mfile $1 exist\033[0m"
        return 0
    elif [ -d "$1" ]; then
        echo -e "\033[32m$1 is exist\033[0m"
        return 0
    else
        echo -e "\033[31m$1 is not exist\033[0m"
        return 1
    fi
}

# Create a required file
creat_file() {
    touch "$1"
    analyse_file_dir "$1" &> /dev/null && echo -e "\033[32mcreat $1 successful\033[0m" || return 1
    return 0
}

# Create a required directory
creat_dir() {
    mkdir -pv "$1"
    analyse_file_dir "$1" &> /dev/null && echo -e "\033[33mcreat $1 successful\033[0m" || return 1
    return 0
}

# Read the CA-related settings from the openssl.cnf file whose path is passed in $1
analyse_conf() {
    analyse_file_dir $1 || exit 1
    # Extract the [ CA_default ] section with sed, drop comments, and pad every "=" with spaces
    sed -n '/\[ CA_default/,/##/s@[#].*@@gp' $1 | sed 's/=/ = /g' > ${tempfile[0]}
    # Format the section with awk into name=value lines and save them to a temporary file
    awk '/^[^[:space:]]/{a[$1]=$3}END{for (i in a) {printf "%s=%s\n", i, a[i]}}' ${tempfile[0]} > ${tempfile[1]}
    # Local variable holding the value of the dir entry
    local dir=$(sed -n 's/^dir=//p' ${tempfile[1]})
    # Replace $dir in the other entries with the real path, editing the temporary file in place
    sed -i "s@[$]dir@$dir@" ${tempfile[1]}
    echo "The current openssl configuration"
    cat ${tempfile[1]}
    echo "#################################"
    # Save the properties found in the configuration file into the associative array
    for ((i=0; i<${#var[*]}; i++)); do
        ca["${var[$i]}"]=$(awk -F "=" '{if ($1~/^'${var[$i]}'$/) {print $2}}' ${tempfile[1]})
    done
}

# Create the private key
creat_private_key() {
    # Take the directory part of the path and create it if it does not exist
    analyse_file_dir ${1%/*} || creat_dir ${1%/*} || return 1
    # Create a 4096-bit private key; umask 077 makes the file readable and writable only by the current user
    (umask 077; openssl genrsa -out $1 4096)
    # Check that the private key was created
    analyse_file_dir $1 &> /dev/null && echo -e "\033[32mcreat private key successful\033[0m" || return 1
    echo "OK"
    return 0
}

# Generate the self-signed certificate
creat_cacert() {
    local info
    # Build the answers to the prompts shown when the certificate is requested
    for ((i=0; i<${#cainfo[*]}; i++)); do
        info="$info${cainfo[$i]}\n"
    done
    # Issue the certificate
    echo -e "$info" | openssl req -new -x509 -key $1 -out $2 -days 3655
    # Check that the certificate was generated
    analyse_file_dir $2 &> /dev/null && echo -e "\033[32mcreat cacert successful\033[0m" || return 1
}

# Exit directly if the openssl.cnf file does not exist
analyse_conf $conffile || exit 1
# Create the necessary files and directories; exit if creation fails
for ((i=0; i<${#creatfile[*]}; i++)); do
    analyse_file_dir ${ca[${creatfile[$i]}]} || creat_file ${ca[${creatfile[$i]}]} || exit 1
done
for ((i=0; i<${#creatdir[*]}; i++)); do
    analyse_file_dir ${ca[${creatdir[$i]}]} || creat_dir ${ca[${creatdir[$i]}]} || exit 1
done
# Write the starting number to the certificate serial file
echo "01" > ${ca[serial]}
# Call the function that creates the CA's private key
creat_private_key ${ca[private_key]} || exit 1
# Create the CA's self-signed certificate
creat_cacert ${ca[private_key]} ${ca[certificate]} || exit 1
# View the certificate contents
openssl x509 -in ${ca[certificate]} -noout -serial -subject
# Clean up the variables, arrays and temporary files produced during the run
clean_temp
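The following is an added example, not the post's script: it reads the [ CA_default ] section of an openssl.cnf the way steps (1) to (3) and the script above rely on (comments stripped, $dir expanded), reports which of the step (3) directories and files are still missing, and checks that the private key created under umask 077 in step (1) is not readable by group or others. The openssl.cnf it parses is constructed inline under a temporary directory, and the function names (parse_ca_default, ca_get, check_ca_layout, key_is_private, write_demo_cnf) are my own.

```shell
#!/bin/bash
# Added example (not the blog's own script): parse the CA section of an
# openssl.cnf, check the CA layout, and check the private key's permissions.
# The config written by write_demo_cnf is constructed for this demo.

# Print the [ CA_default ] section of $1 as key=value lines, with comments
# removed and every $dir reference replaced by the value of dir.
parse_ca_default() {
    awk '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[[ \t]*CA_default[ \t]*\]/); next }
        insec {
            sub(/#.*/, "")                     # drop trailing comments
            i = index($0, "=")
            if (i == 0) next                   # blank line or no assignment
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            vals[key] = val
            if (key == "dir") dir = val
        }
        END {
            for (k in vals) {
                v = vals[k]
                gsub("[$]dir", dir, v)         # $dir/certs -> <dir>/certs
                print k "=" v
            }
        }' "$1"
}

# Look up one key from the parsed section: ca_get <cnf> <key>
ca_get() {
    parse_ca_default "$1" | sed -n "s/^$2=//p"
}

# Report every directory and file from the CA section that does not exist yet.
# Returns the number of missing entries, so 0 means the layout is complete.
check_ca_layout() {
    local cnf=$1 missing=0 k p
    for k in certs crl_dir new_certs_dir; do
        p=$(ca_get "$cnf" "$k")
        [ -d "$p" ] || { echo "missing directory: $p"; missing=$((missing + 1)); }
    done
    for k in serial database; do
        p=$(ca_get "$cnf" "$k")
        [ -f "$p" ] || { echo "missing file: $p"; missing=$((missing + 1)); }
    done
    return "$missing"
}

# The CA private key must not be readable by group or others, which is what the
# (umask 077; ...) subshell around genrsa guarantees. Returns 0 only for mode ?00.
key_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Write a small constructed openssl.cnf rooted at $1 (demo input, not a system file).
write_demo_cnf() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default        # The default ca section

####################################################################
[ CA_default ]
dir             = $1/CA               # Where everything is kept
certs           = \$dir/certs          # Where the issued certs are kept
crl_dir         = \$dir/crl            # Where the issued crl are kept
database        = \$dir/index.txt      # database index file
new_certs_dir   = \$dir/newcerts       # default place for new certs
certificate     = \$dir/cacert.pem     # The CA certificate
serial          = \$dir/serial         # The current serial number
private_key     = \$dir/private/cakey.pem # The private key
default_md      = sha256
####################################################################
[ policy_match ]
countryName     = match
EOF
}

# Demo driver: parse the constructed config, create the step (3) layout,
# then run the checks a practitioner would run after steps (1) and (2).
demo_dir=$(mktemp -d)
write_demo_cnf "$demo_dir"
cnf=$demo_dir/openssl.cnf
parse_ca_default "$cnf"
check_ca_layout "$cnf" || echo "layout incomplete before mkdir/touch"
mkdir -p "$(ca_get "$cnf" certs)" "$(ca_get "$cnf" crl_dir)" "$(ca_get "$cnf" new_certs_dir)"
(umask 077; mkdir -p "$(dirname "$(ca_get "$cnf" private_key)")")
touch "$(ca_get "$cnf" serial)" "$(ca_get "$cnf" database)"
echo 01 > "$(ca_get "$cnf" serial)"
check_ca_layout "$cnf" && echo "layout complete"
# Generating the key itself needs openssl, so only do that when it is installed.
if command -v openssl >/dev/null 2>&1; then
    (umask 077; openssl genrsa -out "$(ca_get "$cnf" private_key)" 2048 2>/dev/null)
    key_is_private "$(ca_get "$cnf" private_key)" && echo "private key mode ok"
fi
```

The parser keys on section headers rather than on the `##` separator line, so it does not depend on where the comment banners happen to sit in a given distribution's openssl.cnf; check_ca_layout returns the number of missing entries so it can be used both as a report and as an exit status.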
The script runs with the following results:
[Screenshots of the script output: Image 145.png, Image 146.png]
Please forgive the hasty and unexplained parts.
This article is from the "Little Black" blog; please be sure to keep this source: http://zww577593841.blog.51cto.com/6145493/1762491
Little Black's daily tinkering: a shell script to quickly build a private CA